Malware

hrtng IDA Plugin : Elevating IDA’s Capabilities For Advanced Malware Analysis

hrtng IDA plugin is a collection of tools, ideas and experiments from different sources I’ve found interesting and useful in my reversing work.

A practical guide to the reverse of a complex malware using the example of dissecting a FinSpy module with help of hrtng IDA plugin on securelist

There is no one place in menu where all functionality of the plugin grouped together. hrtng menu items placed closer to logically related standard IDA & Hex-Rays decompiler functions. Messages, menu items, popup windows and dialog boxes belong to this plugin are marked with “[hrt]” prefix.

The plugin requires Hex-Rays decompiler presence in your IDA installation. The plugin can be compiled with IDA SDK >= 7.3 but not well tested with old versions.

Special thanks to following peoples for their great plugins were used as base for my work:

  • Milan Bohacek, hexrays_tools and hexrays_hlight
  • HexRaysDeob by Rolf Rolles and Takahiro Haruyama
  • Karthik Selvaraj Krypton plugin
  • Ali Rahbar, Ali Pezeshk and Elias Bachaalany GraphSlick plugin
  • Markus Gaasedelen AVX support for the Hex-Rays x64 Decompiler

Features Of The Plugin:

Automation

  • Pull up comments from disasm to pseudocode view
  • Automatic renaming local and global variables, struct members
  • Automatic enum substitution
  • COM helper

Interactive Pseudocode Transformation

  • User interactive renaming/retyping assistance
  • Assists with changing type of structure member or local/global variable
  • reinterpret_cast
  • Collapse selection
  • “offsetof” convertor

Decryption

  • Strings/data/const decryption
  • Build stack strings (optionally with decryption)
  • Build array strings (optionally with decryption)
  • Mass strings decryption

For more information click here.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Recent Posts

ROADTools: The Modern Azure AD Exploration Framework

ROADTools is a powerful framework designed for exploring and interacting with Microsoft Azure Active Directory…

1 day ago

How to Enumerate Microsoft 365 Groups Using PowerShell and Python

Microsoft 365 Groups (also known as M365 Groups or Unified Groups) are at the heart…

1 day ago

SeamlessPass: Using Kerberos Tickets to Access Microsoft 365

SeamlessPass is a specialized tool designed to leverage on-premises Active Directory Kerberos tickets to obtain…

2 days ago

PPLBlade: Advanced Memory Dumping and Obfuscation Tool

PPLBlade is a powerful Protected Process Dumper designed to capture memory from target processes, hide…

2 days ago

HikPwn : Simple Scanner For Hikvision Devices With Basic Vulnerability Scanning

HikPwn: Comprehensive Guide to Scanning Hikvision Devices for Vulnerabilities If you’re searching for an efficient…

3 days ago

Comments in Bash Scripts

What Are Bash Comments? Comments in Bash scripts, are notes in your code that the…

1 week ago